The three things we know about public cloud. Or do we?

There’s what we know about the cloud, and there’s what we think we know.

That’s just to say that a lot of assumptions about the cloud, including those that draw organizations to it, are often only true sometimes. And in some cases, what people assume they know about the cloud should never be true.

Here we look at different sides of three common cloud assumptions.

No. 1: The Cloud Is Cheaper

While great savings can be realized in the cloud, it may not be obvious at first glance. The first concept that must be reconsidered is the idea of the server. With more than two-thirds of monthly cloud spend going to the compute unit, the fastest way to witness cash evaporate into the cloud is to match the CPU, RAM and disk specifications of a physical steel server, launch it in the cloud, and let it run continuously around the clock the same way it operated in your physical datacenter.

The single largest cost savings can come from right-sizing your instances for the applied workload. This can be accomplished by ensuring machines are stateless, disposable and that their applications are designed to be scaled out, not up.

For those unfamiliar with this concept, the idea is to launch many small boxes and balance the load accordingly, instead of increasing the size of the single box.

For instance, of your application requires writing to a backup database once at 3 a.m. for a time window of one hour, you could pay exponentially more an m3.xlarge instance on Amazon Web Services if it was run 24×7, compared to the same instance if it was launched for the one hour per evening required by the backup window.

Finally, for the instances that will run always-on, take advantage of the massive savings offered by up-front payment. Cloud providers often offer deep discounts for always-on instances, once you identify workloads that require permanence.

No. 2: The Cloud Is More Secure

Public cloud providers hold certification bases that include PCI, HIPAA, SOC1, DSS and ISO 27001, with some achieving DIACAP Level 2 for DoD systems. From the physical and underlying infrastructure security perspective, they are far more secure than most data centers in the world. After all, the CIA had Amazon design their internal cloud.

The top-tier providers will only reveal the general region of the planet where these multi-data center campuses reside. Want a physical tour? To kick the tires? Get a look, so you can make sure it’s secure? Forget it.

However, security is a shared responsibility, and all those certifications are meaningless without first considering security policies, access lists, subnet configuration, machine level patching and application security. If you’re running Infrastructure-as-a-Service (IaaS), you must ensure your machines are kept up to date.

If you fire someone and forget to remove them from the access control list, bad things can still happen. The lesson to remember: Just because it’s in the cloud, that doesn’t mean you can abandon your classic security practices surrounding web application firewalls, intrusion detection, audit logging, and multi-factor authentication.

3: You Must Go All-In

This just isn’t true. Everyone we’ve consulted and spoken to in the industry approached cloud migration in phases. Many follow steps similar to those laid out below:

Go with the low hanging fruit with little risk. Backup and archive are great places to start. Who doesn’t want to ditch tape and off-site archival services?

Move on to development and test environments. The developers can run their instances during the workday and then shut them down at night when they leave. No more waiting on the infrastructure team for VMs.

Move on to disaster recovery with a site (or, in cloud parlance, an availability zone) in a different geographic region using a pilot light strategy.

Once you’ve moved these non-mission-critical workloads to the cloud, it’s time to start crafting production workload proof-of-concepts. Take an application that has a small user base with a less-than-critical payload and migrate it to the cloud. An internal blog hosted on WordPress would be an ideal example application.